← All posts

Privacy and Behaviour

Why Privacy Choices Are Harder Than They Look

People can care about privacy and still give data away. The more useful question is what the system makes easy, immediate, delayed, hidden, or hard.

You want to read the article, join the meeting, message the group, test the app, or finish the booking. A banner appears. A permission request appears. A new account asks for a little more information than seems necessary. You pause for a moment, but not for long. The useful thing is on the other side of the button.

So you click.

This does not mean you do not care about privacy. It does not even mean the choice was irrational in any simple sense. It may mean that the system arranged the choice so that disclosure was immediate, easy, socially normal, and rewarded, while the cost of disclosure was delayed, uncertain, hard to picture, and unlikely to be felt at the moment of decision.

That gap is often called the privacy paradox: people report that privacy matters to them, yet often disclose personal data in ways that seem to undermine that concern. The phrase is useful, but only if we treat it as the beginning of the question rather than the answer.

The interesting question is not “why do people say one thing and do another?” People do that in many areas of life. The better question is: what kind of environment makes this pattern so predictable?

The problem with blaming the user

A common explanation is that people are careless. They do not read. They do not understand. They want convenience. There is some truth in this, but it does not explain very much by itself. Carelessness is a summary label for a behavioral pattern, not yet an explanation of how the pattern is produced (the distinction between descriptions and explanations in behavioral science will be covered in future articles). If millions of people repeatedly make similar privacy choices across different services, devices, and institutions, we should look beyond individual “weakness”. We should ask what behavior the environment is selecting for.

Most digital privacy choices are not calm decisions made with full attention and clear alternatives. They are small interruptions inside another task. The person is trying to get somewhere: into a service, into a conversation, into a file, into an online community, into a payment flow. The privacy decision is rarely the main activity. It is a gate on the way to the main activity. That is important, because the immediate consequences are uneven. By this I mean if you accept (the cookie banner, the sharing activity etc), the service opens. The page loads. The app works. The group remains available. The benefit is positive, immediate, and certain.

If you refuse, the result is friction. You may lose functionality. You may need to find settings, read unclear wording, make sense of consequences that are deliberately hard to compare. Sometimes refusal is available in theory but buried in practice. Sometimes the alternative is simply not using a service that other people, employers, schools, friends, or institutions expect you to use.

The privacy consequence (the “cost”), by contrast, is usually delayed and vague. It might involve profiling, manipulation, discrimination, unwanted inference, loss of control, or data being used in a context you did not anticipate. These are serious issues, but they are rarely felt at the moment of “clicking”. They arrive later, if at all, and often through systems too large and opaque for one person to trace, or understand.

This is why privacy choices are harder than they look. The short-term consequences are concrete. The long-term consequences are abstract.

What behavioral science tells us

Behavioral economics helps explain why delayed and uncertain consequences often lose against immediate ones. Prospect theory, developed by Daniel Kahneman and Amos Tversky, challenged the idea that people evaluate risky choices as if they were rational, perfect “calculators”. People do not add up objective probabilities and final outcomes. They respond to reference points, gains, losses, uncertainty, and the literal way a choice is framed.

In privacy, the reference point (the baseline) is often already one that includes a history of repeated disclosure. Many people have spent years accepting terms, allowing tracking, sharing location, signing into services, and moving through defaults that normalise data collection. From that baseline, another permission can feel like a small additional loss. Refusing can feel more costly because it threatens access to something immediate: a conversation, a tool, a social space, or a practical task.

This does not mean prospect theory explains everything about privacy. It was developed for choices where outcomes and probabilities can be described more clearly than most privacy harms can. But it gives us a useful distinction: privacy decisions are not just about what people value in the abstract. They are also about how the choice is framed at the moment it is made.

Delay discounting adds a second useful distinction. Delayed consequences often lose practical force as the delay grows. This is easy to see with money: a smaller reward now can pull harder than a larger reward later. Privacy decisions have a similar structure, but with an important complication. The future cost is not only delayed. It is also uncertain, cumulative, and difficult to picture.

Websites, apps, and platforms present repeated trade-offs: immediate access to functionality versus the gradual accumulation of personal data by third parties. Each individual permission may seem trivial. Over time, those small permissions can combine into behavioral profiles, inferences, and forms of influence that the user did not meaningfully evaluate at any single moment.

Behavior analysis adds another useful lens. Instead of starting with hidden preferences, it asks what behavior is being rewarded (or more accurately, reinforced), what is being punished, what is made easy, what is made difficult, and what consequences arrive soon enough to affect future behavior.

On many websites and apps, disclosure is rewarded immediately. Accept the banner and the obstruction disappears. Share the data and the service becomes available. Allow the permission and the feature works. Post the content and responses, likes, engagement arrives. These are not dramatic rewards, but they are close in time and repeated often.

Privacy-protective behavior is usually different. It may require reading, searching, comparing, disabling, remembering, returning later, accepting a less convenient experience, and even paying for more secure options and procedures. The benefit is often the absence of a future problem. That is important, but it is not always very motivating in the moment. Avoided harm is harder to feel than immediate access.

In plain terms, the path of disclosing data is often positive, immediate, and certain. The path of protecting your information is often effortful, delayed, and uncertain. That is not a small design detail. It is the behavioral architecture of the decision.

This is one reason access to information on its own is a weak privacy intervention. Telling people to care more about privacy does not change the fact that the system may reward disclosure and make protection effortful any more than telling an overweight person to eat less and exercise more is an effective method for weight management. A warning can matter, but only if it competes with the actual consequences arranged by the environment.

Consent fatigue is not a mystery

Repeated prompts also teach behavior. When people see similar banners again and again, they learn the quickest route through them. The banner becomes less like a meaningful choice and more like a small obstacle to quickly jump past. Click the familiar button, get the desired page. Repeat that enough times and the response becomes almost automatic.

This is sometimes described as consent fatigue. Again, the label is useful, but it should not be mistaken for a full explanation - it explains nothing, it only describes the behavior that is taking place. The deeper point is that the system has trained a pattern: interruption, click, access. The visual form of the cookie banner becomes a cue for the response that has worked many times before. The person may still believe privacy matters. But in that moment, the behavior that works is the behavior that removes the obstacle.

This is also why privacy advice can fail even when the advice is reasonable. “Check the settings”, “read the terms”, “use the privacy-protective option” and “think before you click” are all rules. Rules can shape behavior, especially when they are simple, memorable, and socially reinforced. But rules are easily overridden when the direct consequence of ignoring them is immediate access and the consequence of following them is extra work.

This is also why defaults matter. A default is not just a neutral starting point. It can act as a recommendation, a shortcut, and a source of friction for anyone who wants something different. If the privacy-protective path is the default, many people will stay there. If the data-collecting path is the default, many people will stay there instead. This became evident through apples introduction to accept or reject tracking across apps on iOS - and an overwhelming majority rejected tracking outright.

The design question is therefore not only whether people have a choice. It is what kind of choice they have. How visible is the alternative? How much work does it take? What happens immediately after each option? Is the wording clear? Is the person choosing freely, or are they choosing under time pressure, social pressure, practical dependency, or exhaustion?

The bridge to biometrics and AI

This matters more as the data being requested becomes more sensitive.

It is one thing to accept a cookie banner without thinking carefully, if we apply the principles of threat modelling, the overall risk of constant cookie banner acceptance is, relatively speaking, low. Although for some of us, that too is considered invasive. There is however, no doubt that uploading a government ID, scan a face, share a biometric template, or pass through identity verification to access an AI service, online platform, workplace tool, or public-sector system, is a completely different threat assessment with much higher risk.

The behavioral pattern may be similar: immediate access on one side, delayed and uncertain privacy risk on the other. But the stakes are not the same. Biometric and identity data are harder to change, revoke, or replace than ordinary account data. If an email address leaks, you can create another. If your face, identity documents, or behavioral identity signals are captured, the problem is different.

That does not mean every identity check is illegitimate. Age assurance, personhood checks, fraud prevention, and trust and safety can all involve real problems. The question is whether the system asks for the minimum information needed for the actual purpose (often referred to as the principle of data minimisation), or whether a narrow need becomes a reason to collect far more than necessary.

This is where the privacy paradox becomes more than a curiosity. If people make privacy decisions inside environments that reward disclosure and hide future costs, then stronger demands for biometric verification cannot be evaluated only by asking whether a user clicked “I agree”. We also need to ask what was made easy, what was made hard, what alternatives existed, and whether the institution designed the choice responsibly.

What better governance should ask

A behavioral view of privacy does not remove individual responsibility. People still make choices, and some choices are better than others. But it shifts the centre of gravity.

Instead of asking only whether individuals made the right decision, we should ask whether organisations arranged the decision fairly. Did they minimise data collection? Did they make the protective option easy? Did they explain the trade off in plain language? Did they avoid turning refusal into exclusion? Did they measure whether people understood the choice, or only whether they clicked?

For AI-era identity systems, those questions become urgent. The issue goes deeper than fancy written privacy policy text. It is the behavioural architecture around the policy: the defaults, prompts, incentives, timing, friction, alternatives, and consequences.

If the environment makes disclosure of information the path of least resistance, we should not be surprised when people disclose. We should be careful about calling that a paradox. Sometimes it is exactly what the system was built to produce. The more useful response is likely not to shame people for inconsistent privacy behavior. It is to design, regulate, and procure systems that make privacy protection practical at the moment of choice.

That is where the next questions begin. What would consent look like if the protective option were genuinely easy? What would age assurance look like if the service only learned that a person was over the required age, not who they were? What would identity verification look like if institutions had to justify every step up the disclosure ladder?

Those are not abstract questions anymore. They are becoming the practical questions of biometrics in the age of AI.

Disclosure

This essay was drafted with AI assistance under my direction and edited for argument, tone, and accuracy before publication. I used AI to draw data from sources associated with my masters in behavioural science and articles I have written as part of my work at a University in Norway, to clarify my points and translate some complex behavioural science taxonomy into everyday vernacular. My company R&D Nordic advises on privacy, AI governance, and responsible technology adoption; this essay is published as general analysis, not legal advice.

Sources

  • Acquisti, A., Brandimarte, L., & Loewenstein, G. (2022). Privacy and

behavioral economics.

  • Barth, S., & de Jong, M. D. T. (2017). The privacy paradox: Investigating

discrepancies between expressed privacy concerns and actual online behavior.

  • Critchfield, T. S., & Kollins, S. H. (2001). Temporal discounting: Basic

research and the analysis of socially important behavior.

  • Green, L., & Myerson, J. (2004). A discounting framework for choice with

delayed and probabilistic rewards.

  • Kahneman, D., & Tversky, A. (1979). Prospect theory: An analysis of decision

under risk.

Share by email Talk to us